Qilin

Threat Actor updated 15 days ago (2024-08-24T01:18:12.022Z)
The Qilin ransomware group has been active since at least 2022 and drew wide attention in June 2024 for its attack on Synnovis, a UK governmental service provider for healthcare. The group was later associated with Octo Tempest, which added Qilin ransomware to its arsenal and thereby expanded its capabilities for cyberattacks. Qilin's tradecraft has evolved over time and now includes tactics such as rebooting infected machines into safe mode to bypass security tools, a sign of an escalating threat level.

In July 2024, Sophos' Incident Response team observed Qilin activity on a domain controller within an organization's Active Directory domain. The operators used a Group Policy Object (GPO) to execute a script each time a user logged on to an endpoint; the impact differed across domain controllers within the same network. Qilin also targeted organizations' network assets and stole credentials saved in Google Chrome browsers on compromised endpoints, further illustrating its evolving strategy. One of the most significant attacks attributed to Qilin was on the automotive giant Yanfeng.

Victims of this Qilin variant were advised to reset all Active Directory passwords and to warn users to change the passwords for sites saved in their Chrome browsers. As the group continues to expand its repertoire of techniques and shift its tactics, organizations are urged to remain vigilant and reinforce their defenses against these emerging threats.
Description last updated: 2024-08-24T01:15:38.106Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Octo Tempest (2 votes): Octo Tempest, a known threat actor in the cybersecurity landscape, has recently added RansomHub and Qilin ransomware to its arsenal of cyber weapons. This expansion of their capabilities marks a significant escalation in their potential for harm and demonstrates a clear evolution towards more sophis
RansomHub (2 votes): RansomHub, a threat actor group, has emerged as a significant cyber threat since its inception in February. The group employs a double-extortion strategy, which involves both encrypting IT systems and exfiltrating data to extort victims. RansomHub is known for its unique approach to ransom demands,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Extortion
Malware
RaaS
Linux
Credentials
Ransom
NHS
Chrome
Data Leak
Cybercrime
Phishing
ESXi
Encryption
Rust
Associated Malware
LockBit (type: Unspecified, 3 votes): LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
Black Basta (type: Unspecified, 2 votes): Black Basta is a notorious malware group known for its ransomware activities. The group has been active since at least early 2022, during which time it has accumulated an estimated $107 million in Bitcoin ransom payments. It leverages malicious software to infiltrate and exploit computer systems, of
Hive (type: Unspecified, 2 votes): Hive is a malicious software (malware) that has been used by the cybercriminal group, Hunters International, to launch ransomware attacks since October of last year. The group operates as a ransomware-as-a-service (RaaS) provider, spreading Hive rapidly through collaborations with less sophisticated
Associated Threat Actors
Scattered Spider (type: Unspecified, 2 votes): Scattered Spider is a threat actor group known for its malicious cyber activities. The group's operations involve searching SharePoint repositories for sensitive information, maintaining persistence on targeted networks, and exfiltrating data for extortion purposes. They primarily gain access to vic
BianLian (type: Unspecified, 2 votes): BianLian is a significant threat actor within the cybersecurity landscape, known for its malicious activities and cyber-attacks. The group has been particularly active in exploiting bugs in JetBrains TeamCity, a popular continuous integration and deployment system used by software development teams.
Alphv (type: Unspecified, 2 votes): Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op
Source Document References
Information about the Qilin threat actor was drawn from the source documents listed below (this display is limited to 20 results).
Source | Created | Title
Malwarebytes | 10 days ago | CODAC Behavioral Healthcare, US Marshalls are latest ransomware targets | Malwarebytes
Checkpoint | 12 days ago | 26th August – Threat Intelligence Report - Check Point Research
Securityaffairs | 15 days ago | Qilin ransomware steals credentials stored in Google Chrome
Securityaffairs | a month ago | SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
InfoSecurity-magazine | a month ago | #BHUSA: 17.8m Phishing Emails Detected in First Half of 2024
Securityaffairs | a month ago | security-affairs-malware-newsletter-round-5
BankInfoSecurity | 2 months ago | Synnovis Attack Halts 8,000 NHS Patient Procedures So Far
Securityaffairs | 2 months ago | Security Affairs Malware Newsletter - Round 3
Securityaffairs | 2 months ago | Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine | 2 months ago | Qilin Ransomware’s Sophisticated Tactics Unveiled By Experts
Securityaffairs | 2 months ago | Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
DARKReading | 2 months ago | Microsoft: Scattered Spider Widens Web With RansomHub & Qilin
InfoSecurity-magazine | 2 months ago | Ransomware Surges Annually Despite Law Enforcement Takedowns
InfoSecurity-magazine | 2 months ago | Ransomware Attack Demands Reach a Staggering $5.2m in 2024
BankInfoSecurity | 3 months ago | As Britain's NHS Faces Data Leak, Never Normalize Ransomware
BankInfoSecurity | 3 months ago | Qilin Ransomware Group Leaks NHS Data
InfoSecurity-magazine | 3 months ago | Synnovis Attackers Publish NHS Patient Data Online
BankInfoSecurity | 3 months ago | UK Pathology Lab Ransomware Attackers Demanded $50 Million